Audit & Assurance · Information Systems & IT Audit
Cyber Security Control & IT Risk Review
Cyber risk is now a Board-level line item, not an IT department memo.
Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986
Cyber risk is now a Board-level line item, not an IT department memo. Regulators — SEBI, RBI, IRDAI, CERT-In, and the Ministry of Electronics and IT — have moved cybersecurity from a discretionary good practice to a documented, testable, reportable obligation, with real deadlines and real penalties attached. At PNPC Global, we have supported Boards and Audit Committees across India and the UAE since 1986 with the assurance work that sits underneath every governance certification. A Cyber Security Control & IT Risk Review gives your Board, your statutory auditor, and your regulator independent, evidence-based comfort that your controls are designed properly and are actually operating — not just documented in a policy nobody follows.
What it costs
No hidden charges. The exact figure is set in your engagement letter.
A Cyber Security Control & IT Risk Review is an independent assessment of the policies, technical controls, and governance processes an organisation has in place to protect its information systems, data, and digital infrastructure from unauthorised access, disruption, and compromise — and of how effectively those controls actually operate in day-to-day use. Unlike a penetration test, which simulates an attack to find exploitable technical vulnerabilities, or a certification audit for a specific standard, a control and IT risk review takes a governance, risk, and controls (GRC) lens: it maps your IT risk universe, evaluates the design of controls against a recognised framework (commonly COBIT 2019, ISO/IEC 27001:2022, or the NIST Cybersecurity Framework), tests whether those controls are operating as designed, and reports gaps with a prioritised remediation roadmap that the Board and Audit Committee can act on.
In India, this work increasingly sits at the intersection of several distinct but overlapping regulatory obligations rather than being a purely voluntary exercise. SEBI-registered intermediaries and market infrastructure institutions — stock exchanges, depositories, clearing corporations, stock brokers, mutual funds/AMCs, RTAs, depository participants, and other SEBI Regulated Entities — fall under SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF), which consolidated and superseded the earlier sector-specific SEBI cyber circulars and requires periodic risk assessments, defined incident response and reporting timelines, and Board-level oversight through a designated Chief Information Security Officer (CISO) function. Listed companies more broadly carry a related but distinct obligation — cybersecurity incident and materiality disclosures under SEBI's Listing Obligations and Disclosure Requirements (LODR) Regulations — which is a narrower disclosure duty rather than the full CSCRF control framework, though a listed company that is itself a SEBI-registered intermediary (a listed broker or AMC, for instance) carries both. Banks, NBFCs, and payment system operators regulated by the Reserve Bank of India operate under RBI's cybersecurity framework circulars, which mandate a Board-approved cyber security policy distinct from the general IT policy, periodic vulnerability assessment and penetration testing (VAPT), and defined cyber-crisis management plans. Every entity handling computer resources in India — regardless of sector — is also subject to CERT-In's April 2022 directions under Section 70B of the Information Technology Act 2000, which mandate reporting of specified categories of cyber incidents to CERT-In within six hours of detection and require designated entities to maintain logs of ICT systems for a rolling 180-day period within India.
Statutory auditors increasingly reach into the IT control environment as part of their own work under the Companies Act 2013 as well. Where financial reporting depends on IT systems — which, in practice, is virtually every company today — the auditor's opinion on Internal Financial Controls under Section 143(3)(i) and the CARO 2020 commentary on internal controls implicitly depend on the IT General Controls (ITGC) that sit underneath the financial application: access provisioning and de-provisioning, change management, backup and recovery, and job scheduling. A cybersecurity and IT risk review commissioned proactively, ahead of the statutory audit, surfaces and remediates ITGC and broader cyber-risk gaps before they surface as audit findings, management letter points, or — in the worst case — a control failure that leads to a data breach, financial fraud, or a reportable incident under the Digital Personal Data Protection Act 2023.
The review typically culminates in a structured report to the Board or Audit Committee — often as a specific agenda item under the IT Strategy Committee or Risk Management Committee where one exists — classifying each finding by severity, mapping it to the governing framework's control reference, and setting owner-assigned remediation timelines. For regulated entities, this report frequently forms part of the evidentiary basis for the CISO's periodic reporting to the Board and for representations made to SEBI, RBI, or IRDAI on the adequacy of the cybersecurity posture. For unregulated but growing companies, the same discipline is increasingly a precondition for enterprise sales, insurance underwriting for cyber-liability cover, and investor due diligence.
When a Cyber Security Control & IT Risk Review makes sense
You are a SEBI-registered intermediary or market infrastructure institution (stock broker, mutual fund/AMC, depository participant, RTA, exchange, clearing corporation, or similar Regulated Entity) and SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF) requires periodic risk assessment, Board reporting, and CISO oversight of your cyber posture — or you are a listed company with cybersecurity incident and materiality disclosure obligations under SEBI's LODR Regulations
You are a bank, NBFC, payment aggregator, or other RBI-regulated entity subject to a Board-approved cybersecurity policy, mandatory periodic VAPT, and a defined cyber-crisis management plan under RBI's cybersecurity framework circulars
Your statutory auditor's IFC review under Section 143(3)(i) or CARO 2020 commentary depends on IT General Controls — access management, change management, backups — that have never been independently tested
You process or store personal data at scale and need to assess your control readiness ahead of the Digital Personal Data Protection Act 2023 rules taking full effect, including breach notification and data fiduciary obligations
You are a designated entity under CERT-In's April 2022 directions and need to confirm your logging retention (180 days, India-located), incident reporting workflow, and NTP synchronisation practices are actually in place — not just documented
A cyber incident, ransomware attempt, phishing compromise, or unauthorised access event has already occurred, and the Board or Audit Committee wants an independent root-cause and control-gap assessment, not an internal IT team's self-review
You are pursuing cyber-liability insurance and the underwriter's proposal form requires evidence of a recent independent security control assessment, not just a self-certified questionnaire
You are preparing for a funding round, enterprise customer onboarding, or vendor empanelment where the counterparty's due diligence checklist requires evidence of a documented, tested information security control environment
Your organisation has grown quickly — new offices, new SaaS tools, remote/hybrid workforce, BYOD — and IT risk has outpaced the last time policies and access controls were reviewed
When a different engagement fits better
You need to know whether specific systems can be technically breached right now — that calls for a Vulnerability Assessment & Penetration Test (VAPT), a narrower and more technical engagement than a governance-level control review, though the two are complementary and often sequenced together
You need formal certification against ISO/IEC 27001 for a customer contract or tender requirement — that requires a certification audit by an accredited certification body; PNPC can prepare you for it, but cannot issue the certificate itself
You are a very early-stage startup with minimal customer data, no regulatory trigger, and no near-term enterprise sales or funding requirement — a lighter security hygiene checklist embedded in your IT setup is more proportionate than a full framework-based review
You need an ongoing, always-on security operations capability — continuous monitoring, SIEM alerting, 24x7 SOC — which is a managed security service, not a periodic assurance engagement
Your primary need is drafting or updating IT and data protection policies from scratch with no existing control environment to assess — that is a policy-drafting engagement that should typically precede, not replace, a control review
You need software code security review (secure code review, SAST/DAST) for a specific application under development — that is an application security engagement, narrower in scope than an organisation-wide IT risk review
Cyber Security Control & IT Risk Review vs related IT assurance and security engagements
| Feature | Cyber Security Control & IT Risk Review | VAPT (Penetration Test) | ISO 27001 Certification Audit | IT General Controls (ITGC) Review | SOC 2 Report |
|---|---|---|---|---|---|
| Primary objective | Assess design & operating effectiveness of cybersecurity governance and controls against a framework | Actively attempt to exploit technical vulnerabilities in systems and networks | Certify an Information Security Management System (ISMS) meets ISO/IEC 27001 requirements | Assess controls specifically over IT systems supporting financial reporting | Report on service organisation controls for user entities and their auditors |
| Governing framework | COBIT 2019 / ISO 27001 / NIST CSF, mapped to applicable Indian regulatory requirements | OWASP Testing Guide, PTES, or similar technical methodology | ISO/IEC 27001:2022 standard clauses and Annex A controls | COSO / COBIT, scoped to financially relevant systems | AICPA Trust Services Criteria (international, common for SaaS exports) |
| Statutory/regulatory trigger in India | SEBI CSCRF (SEBI-registered intermediaries/market infrastructure institutions), SEBI LODR (listed cos, disclosure only), RBI cyber framework (banks/NBFCs), CERT-In directions (all entities), DPDP Act readiness | Often a component required by SEBI CSCRF, RBI framework, PCI-DSS, or customer contracts — not independently mandated by a single Indian statute | Not mandated by Indian law — market/customer/tender driven | Feeds Section 143(3)(i) auditor opinion and CARO 2020 IFC commentary | Not mandated in India — driven by international (mainly US) customer/vendor requirements |
| Who performs it | Independent CA/risk advisory firm with IT audit specialisation, reporting to Board/Audit Committee | Specialised penetration testing team (often CERT-In empanelled for regulated-entity engagements) | Accredited ISO certification body (PNPC prepares; cannot certify) | Statutory auditor or independent IT audit specialist, often coordinated with the financial audit | Independent CPA/CA firm licensed for SOC engagements |
| Output | Board/Audit Committee report — control matrix, gap classification, remediation roadmap | Technical vulnerability report with CVSS severity ratings and proof-of-concept detail | Certificate of conformity (valid 3 years, with annual surveillance audits) | Gap report feeding the statutory audit file and management letter | SOC 2 Type I (point in time) or Type II (period of operation) report |
| Typical frequency | Annually, or per regulator-mandated cycle (SEBI/RBI often prescribe periodicity) | Annually at minimum; more often for regulated/high-risk entities or after major system changes | Initial certification + annual surveillance + 3-year recertification | Annually, alongside the statutory audit cycle | Type II typically covers a 6–12 month observation period, repeated annually |
| Relationship to statutory audit | Directly supports and de-risks the Sec 143(3)(i) IFC opinion where IT underpins financial reporting | Indirect — findings may be referenced if a vulnerability has financial-reporting relevance | Independent of statutory audit; may be referenced in customer/vendor due diligence | Forms part of the statutory audit working papers | Independent of Indian statutory audit; relevant mainly for export-oriented SaaS clients |
| Typical engagement length | 6–10 weeks depending on entity size and scope | 1–3 weeks technical testing window, plus reporting | Several months of ISMS build-out before a 1–2 week certification audit | 3–6 weeks, scoped to financially relevant systems | Observation period (6–12 months) plus several weeks of reporting |
This table is directional. The right combination — a control review, VAPT, ITGC review, and/or certification support — depends on your regulatory category, customer requirements, and current maturity. Many PNPC clients run a Cyber Security Control & IT Risk Review as the governance-level umbrella, with VAPT commissioned as a technical component within it. A scoping conversation is the right starting point.
| # | Stage & What PNPC Does | CA Advice Portals Never Give | Timeline |
|---|---|---|---|
| 1 | Scoping & Regulatory Mapping — understanding which frameworks actually apply to you | We ask what a generic security vendor rarely asks first: are you a SEBI-registered intermediary or market infrastructure institution (CSCRF applies) or a listed company with LODR disclosure duties only? RBI-regulated (separate cyber policy and VAPT cadence required)? A CERT-In 'designated entity' with 180-day logging obligations? Handling data that will trigger DPDP Act fiduciary duties? The applicable regulatory stack determines the review scope, the reporting cadence, and the Board-level oversight structure we design around — before any technical work begins. | Week 1 |
| 2 | IT Asset & Risk Universe Mapping — what systems, data, and third parties are actually in scope | Most organisations underestimate their own IT footprint — shadow IT (unsanctioned SaaS tools), vendor-managed infrastructure, and legacy systems nobody remembers commissioning. We build a current-state inventory of systems, data flows, and third-party/vendor access points, because a control review scoped against an incomplete asset list gives false comfort. | Week 1–2 |
| 3 | Governance & Policy Review — is there a Board-approved cybersecurity policy, and does it match reality? | A cybersecurity policy copied from a template and never updated is worse than no policy — it creates a documented gap between what the Board believes is happening and what is actually happening. We review the Information Security Policy, Acceptable Use Policy, Data Classification Policy, Incident Response Plan, and BCP/DR Plan against both the applicable framework and actual operating practice. | Week 2 |
| 4 | Access Control & Identity Management Testing — who can access what, and why | We test user access provisioning and de-provisioning end-to-end: is access granted on a documented request with approval? Is it removed promptly on role change or exit — a control that fails constantly in fast-growing companies? Is privileged/admin access restricted and logged? Are shared or generic logins in use (a common but high-risk shortcut)? Segregation of duties within critical systems is assessed here, not assumed. | Week 2–3 |
| 5 | Network & Infrastructure Control Review — perimeter, segmentation, and configuration baseline | We review firewall rule-sets, network segmentation between production and non-production environments, patch management cadence, endpoint protection deployment, and secure configuration baselines against a recognised hardening standard (such as CIS Benchmarks) — evaluated for design adequacy, coordinated with VAPT findings where a technical test is also commissioned. | Week 3–4 |
| 6 | Data Protection & DPDP Act Readiness Assessment — classification, encryption, retention, consent | Personal data handling now carries direct statutory exposure. We assess data classification discipline, encryption of data at rest and in transit for sensitive categories, retention and secure-disposal practices, and — for entities that will be data fiduciaries under the DPDP Act 2023 — the consent architecture and breach-notification readiness the Act and its rules will require. | Week 3–4 |
| 7 | Third-Party & Vendor Risk Review — the control gap most organisations never test | Data breaches increasingly originate through a vendor, not the primary organisation. We review vendor onboarding due diligence, data-sharing agreements and their security clauses, and whether critical vendors (cloud hosting, payroll processors, SaaS tools handling customer data) have been assessed for their own control posture — a step most internal reviews skip entirely. | Week 4 |
| 8 | Incident Response & CERT-In Compliance Testing — is the six-hour reporting workflow real or theoretical? | CERT-In's April 2022 directions require reporting of specified incident categories within six hours of detection, and mandate 180-day log retention within India with synchronised network time. We test whether the incident response plan has actually been exercised (tabletop or live), whether logging meets the retention and localisation requirement, and whether the organisation could genuinely meet the six-hour window if an incident occurred today. | Week 4–5 |
| 9 | IT General Controls (ITGC) Testing for Financial Systems — the link to your statutory audit | Where financial reporting depends on ERP, accounting, or billing systems, we specifically test the ITGCs — change management for system configuration, backup and recovery testing (not just backup existence), and job scheduling controls — using the same lens the statutory auditor will apply under Section 143(3)(i) and CARO 2020, so findings here pre-empt audit findings later. | Week 5 |
| 10 | Gap Classification & Risk Rating — Critical, High, Medium, Low, mapped to framework control references | Not every finding carries equal weight. We classify each gap by severity and likelihood, map it to the specific COBIT/ISO 27001/NIST control reference and, where applicable, the specific SEBI/RBI/CERT-In requirement it relates to — so the remediation priority is defensible to the Board and, if needed, to a regulator. | Week 5–6 |
| 11 | Management Discussion & Draft Report — validating findings before they are finalised | Findings are walked through with IT leadership and process owners before the report is finalised — both to confirm factual accuracy and to begin remediation planning immediately, rather than presenting the Board with a surprise report that generates more questions than answers. | Week 6 |
| 12 | Remediation Roadmap — prioritised, owner-assigned, dated, with interim compensating controls | A gap list without an execution plan is next year's audit finding repeated. We build a roadmap with named owners, realistic target dates given your team's capacity, and interim compensating controls for anything classified Critical or High that cannot be fixed immediately. | Week 6–7 |
| 13 | Board / Audit Committee / IT Strategy Committee Presentation — the governance evidence trail | We present findings directly to the Board, Audit Committee, or IT Strategy Committee (where one exists), giving directors and the CISO the documented, evidentiary basis for their own periodic reporting obligations under SEBI CSCRF, RBI's framework, or general Section 134(5)(e) IFC certification. | Week 7 |
| 14 | Post-Remediation Verification — confirming fixes actually took effect | A remediation marked complete by the IT team is not the same as a remediation independently verified as operating. We re-test a sample of remediated controls before the next audit or reporting cycle to confirm the fix is embedded — not just closed in a tracker. | 8–12 weeks after initial report, timed to your compliance calendar |
A first-time review for a mid-sized company typically runs 6–8 weeks end-to-end for the assessment and report, with remediation verification following 2–3 months later. Regulated entities (SEBI CSCRF-covered intermediaries, RBI-regulated) with a defined reporting cadence are scheduled to that cycle. Subsequent-year reviews, building on an existing control matrix and asset inventory, are typically faster.
Board-approved Information Security / Cybersecurity Policy — distinct from a general IT policy; RBI-regulated entities specifically require a separate Board-approved cybersecurity policy
IT Strategy Committee / Risk Management Committee / Audit Committee minutes referencing cybersecurity discussions for the review period
Incident Response Plan and Business Continuity / Disaster Recovery (BCP/DR) Plan, along with evidence of the last test or tabletop exercise conducted
Data Classification Policy and Acceptable Use Policy currently in force
Prior cybersecurity audit reports, VAPT reports, or ISO 27001 surveillance audit findings, if any exist
Organisation chart showing the CISO or equivalent security ownership role and its reporting line to the Board or a Board committee
Current IT asset inventory — servers, endpoints, network devices, and cloud infrastructure accounts (AWS/Azure/GCP or equivalent)
Network architecture diagram showing segmentation between production, non-production, and corporate network zones
List of all SaaS applications and third-party tools in active use, including any procured outside a formal IT procurement process (shadow IT)
Patch management records and endpoint protection (antivirus/EDR) deployment coverage report
Firewall rule-set export and configuration baseline documentation for critical infrastructure
Current user access list for all critical systems (ERP, financial systems, core business applications), with role/privilege mapping
Access provisioning and de-provisioning records for the review period, including evidence of timely removal on employee exit or role change
Privileged/administrator account inventory and log of privileged access usage
Multi-factor authentication (MFA) coverage report across email, VPN, and critical system access
Password policy and evidence of enforcement (complexity, rotation, lockout settings)
Data inventory / data mapping showing categories of personal data collected, where stored, and retention period applied
Encryption standards documentation for data at rest and in transit for sensitive/personal data categories
Consent capture mechanism documentation, where personal data is collected directly from data principals (customers, employees)
Data-sharing and data processing agreements with third-party vendors handling personal data on the company's behalf
Data breach / incident log for the review period, if any incidents occurred, along with the response taken
Log retention configuration evidence — confirming logs of ICT systems are retained for a rolling 180 days and stored within India as required under CERT-In's April 2022 directions
Network Time Protocol (NTP) synchronisation configuration — CERT-In directions require system clocks to be synchronised to designated time servers
Security monitoring / SIEM tool configuration and sample alert-to-resolution records, where such a tool is deployed
Any cyber incident reports filed with CERT-In during the review period, along with the internal timeline from detection to reporting
List of critical third-party vendors with access to systems or data — cloud hosting, payroll processor, payment gateway, SaaS tools handling customer data
Vendor due diligence records or security questionnaires completed for critical vendors
Copies of Master Service Agreements or Data Processing Agreements containing security and confidentiality clauses with key vendors
Any vendor-side certifications (ISO 27001, SOC 2) provided by critical vendors as evidence of their own control posture
Change management log for the ERP or core financial system — configuration changes, approvals, and testing evidence for the review period
Backup schedule and evidence of periodic backup restoration testing — not merely confirmation that backups run
Job scheduling and batch processing controls documentation for automated financial processes, where applicable
System access review sign-off records for financially relevant applications, evidencing periodic management review of who has access
| Phase | Triggered By | PNPC CA Guidance | Risk If Ignored |
|---|---|---|---|
| Baseline Review (Year 1) | Regulatory trigger, Board direction, or growth-driven risk exposure | Full scoping against applicable frameworks (SEBI CSCRF / RBI cyber framework / CERT-In / DPDP Act as relevant), asset and risk mapping, governance and technical control testing, gap classification, and a Board-ready remediation roadmap. | Undiscovered control gaps persist silently until an incident, a regulator inspection, or a statutory audit finding forces reactive, more costly remediation under pressure. |
| Remediation Execution (Months 1–4 post-review) | Findings report delivered | Owner-assigned, dated remediation tracking with PNPC follow-up. Interim compensating controls advised for anything classified Critical or High that cannot be closed immediately — access restriction, additional monitoring, manual review steps — until the permanent fix is implemented. | Findings marked 'in progress' indefinitely with no independent verification recur as the same finding in the next audit or regulatory inspection, undermining Board and auditor confidence in the remediation process. |
| Verification & Sign-off (Months 4–6) | Remediation deadlines reached | Independent re-testing of a sample of remediated controls to confirm operating effectiveness — not a desk review of a status update from the IT team. Findings are formally closed only on verified evidence. | Controls reported as 'closed' without verification create a false record relied upon by the Board's Sec 134(5)(e) certification and the statutory auditor's Sec 143(3)(i) opinion — a governance exposure if a gap resurfaces. |
| Statutory Audit Coordination (Year-end) | Financial year close approaching | Handover of the control matrix, testing evidence, and remediation status to the statutory auditor in a format that supports their ITGC reliance and Sec 143(3)(i)/CARO 2020 work — reducing duplicate testing and helping keep the audit timeline on schedule. | Unresolved IT control gaps discovered independently by the statutory auditor during year-end fieldwork generate audit findings, management letter points, or, for material weaknesses, qualified reporting under CARO 2020. |
| Regulatory Reporting Cycle | SEBI CSCRF / RBI framework prescribed periodicity | Alignment of the review cadence to the specific regulatory reporting calendar — CSCRF and RBI circulars prescribe periodic assessment and Board reporting intervals — so the review output is available in time to support the CISO's and Board's statutory representations. | Missed or late alignment to the regulator's prescribed cycle exposes the entity to supervisory findings, and in serious cases, regulatory action for inadequate cyber governance. |
| Incident Response Activation | Actual cyber incident — breach, ransomware, unauthorised access | Independent root-cause and control-failure assessment distinct from the internal IT team's own incident report — supporting the six-hour CERT-In reporting workflow where applicable, Board notification, and (where personal data is involved) DPDP Act breach-notification obligations. | A self-assessed incident response without independent review risks incomplete root-cause identification, repeat incidents, and — if statutory notification deadlines are missed — separate regulatory exposure on top of the incident itself. |
| Annual Refresh & Re-scoping | New systems, new vendors, organisational growth, M&A | Re-scoping the asset inventory and risk universe annually — new SaaS tools, new offices, new acquisitions, and workforce changes all shift the risk profile. A control matrix built for last year's IT footprint gives false comfort against this year's actual exposure. | A stale review that does not reflect current systems and vendors leaves genuinely new risk areas — the newest SaaS tool, the newly acquired subsidiary's legacy systems — completely untested. |
This lifecycle reflects a typical mid-sized company's cadence. Regulated entities (SEBI CSCRF-covered intermediaries, RBI-regulated) should align the review and reporting phases to their specific framework's prescribed periodicity rather than a generic annual assumption — PNPC confirms the applicable cadence during scoping.
What exactly is a Cyber Security Control & IT Risk Review, in plain terms?
It is an independent check on whether your organisation's cybersecurity policies and technical controls are properly designed and are actually being followed in practice — not just written down. We map your IT risk areas, test access controls, network security, data protection practices, incident response readiness, and vendor risk against a recognised framework, then report gaps to your Board or Audit Committee with a prioritised plan to fix them.
Is this the same as a penetration test?
No. A penetration test (VAPT) actively attempts to technically exploit vulnerabilities in your systems and networks to see what an attacker could achieve. A Cyber Security Control & IT Risk Review takes a broader governance and controls view — policies, access management, vendor risk, incident response readiness, and regulatory compliance — and evaluates whether the overall control environment is sound. The two are complementary; many clients commission VAPT as a technical component within the broader review, but they are not interchangeable.
Does my company legally need this review, or is it optional?
It depends on your regulatory category. SEBI-registered intermediaries and market infrastructure institutions (stock brokers, mutual funds/AMCs, depository participants, RTAs, exchanges, clearing corporations, and similar Regulated Entities) fall under SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF), which mandates periodic risk assessment and Board-level reporting; listed companies generally (even if not a CSCRF-covered intermediary) carry a narrower cybersecurity incident and materiality disclosure obligation under SEBI's LODR Regulations. Banks, NBFCs, and payment system operators fall under RBI's cybersecurity framework circulars, which require a Board-approved cybersecurity policy and periodic VAPT. Every entity that is a 'designated entity' under CERT-In's April 2022 directions has specific logging and incident-reporting obligations. If none of these apply to you directly, the review is not a standalone statutory requirement — but it remains good governance practice, particularly if IT systems underpin your financial reporting (relevant to your statutory auditor's Section 143(3)(i) opinion) or if you handle personal data that will trigger obligations under the Digital Personal Data Protection Act 2023.
What is SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF)?
CSCRF is SEBI's consolidated cybersecurity framework applicable to SEBI-registered intermediaries and market infrastructure institutions in the securities market — stock exchanges, depositories, clearing corporations, stock brokers, mutual funds/AMCs, RTAs, depository participants, and other categories of SEBI Regulated Entities — that brought together and updated the earlier sector-specific cyber circulars into a single framework. It requires periodic cyber risk assessments, defined incident detection and reporting timelines, a designated CISO function reporting to the Board, and specific controls around data localisation and audit requirements depending on the entity category. Listed companies that are not themselves SEBI-registered intermediaries fall outside CSCRF's direct scope but carry a related, narrower obligation — cybersecurity incident and materiality disclosure under SEBI's LODR Regulations.
What are CERT-In's cyber incident reporting directions and do they apply to us?
CERT-In (Indian Computer Emergency Response Team), under Section 70B of the Information Technology Act 2000, issued directions in April 2022 that apply broadly to entities operating computer resources in India. Key obligations include: reporting specified categories of cyber security incidents (data breaches, ransomware, unauthorised access, and others listed in the directions) to CERT-In within six hours of detection or of being made aware of the incident; maintaining logs of all ICT systems for a rolling period of 180 days, stored within India; and synchronising system clocks to designated time sources. These directions apply broadly — not just to large or regulated entities.
How does this review connect to my statutory audit?
Where your financial reporting depends on IT systems — which is the case for virtually every company today — your statutory auditor's opinion under Section 143(3)(i) of the Companies Act 2013 on Internal Financial Controls, and the CARO 2020 commentary on internal controls, both implicitly rely on the IT General Controls underneath your financial systems: access management, change management, backup and recovery. A cybersecurity control review conducted ahead of the year-end audit surfaces and fixes these gaps proactively, rather than having the statutory auditor discover them during audit fieldwork and raise them as findings or management letter points.
What framework do you assess against — ISO 27001, COBIT, or something else?
We typically assess against COBIT 2019 for governance and management objectives, cross-referenced with ISO/IEC 27001:2022 Annex A controls and, where relevant, the NIST Cybersecurity Framework — and map findings to the specific applicable Indian regulatory requirement (SEBI CSCRF, RBI framework, CERT-In directions, DPDP Act) so the report is directly useful for your actual compliance obligations, not just a generic international benchmark.
How long does the review take?
A first-time review for a mid-sized company typically takes 6–8 weeks for the assessment and report, followed by remediation verification 2–3 months later. Larger or more complex organisations, or those with multiple regulated entities/subsidiaries in scope, take longer. Subsequent-year reviews, building on an established asset inventory and control matrix, are typically faster since the framework only needs updating for what has changed.
What does the review actually cost?
The fee depends on the number of systems and locations in scope, whether VAPT is bundled in, the applicable regulatory framework, and organisational size and complexity. PNPC provides a written scope and fixed fee after the initial scoping conversation — we do not quote a number before understanding your IT footprint and regulatory category, because a review scoped for a 30-person single-office company and one scoped for a multi-entity, RBI-regulated group are not comparable engagements.
We already have an internal IT team that manages security. Why do we need an external review?
Internal IT teams are usually the ones who designed and operate the controls being tested — an internal self-review has an inherent conflict of interest and, more practically, an internal team often cannot see its own blind spots. Independent review provides objectivity the Board and Audit Committee (and, where applicable, a regulator) can actually rely on. It is also frequently a specific expectation under SEBI CSCRF and RBI's cybersecurity framework that the assessment carries genuine independence from day-to-day IT operations.
What happens if the review finds a critical gap — do you report it to the regulator?
PNPC's role in this engagement is to report findings to your Board, Audit Committee, or IT Strategy Committee — the decision on any external disclosure (to a regulator, to affected data subjects, or otherwise) rests with your organisation and its legal counsel, guided by the specific statutory trigger involved. Where a finding relates to an actual incident that meets CERT-In's reportable categories, the six-hour reporting clock is a separate, time-bound legal obligation that exists independently of our review — we flag this immediately if we identify it during fieldwork.
Do you also perform the penetration testing (VAPT), or only the governance review?
PNPC scopes and coordinates VAPT as part of a combined engagement where clients want both the governance-level control review and the technical penetration test, working with specialised technical testing partners for the hands-on exploitation work while PNPC leads the overall scoping, framework mapping, Board reporting, and remediation governance.
What is the Digital Personal Data Protection Act 2023 and how does it affect this review?
The DPDP Act 2023 is India's comprehensive data protection legislation, governing how organisations (data fiduciaries) collect, process, store, and protect personal data of individuals (data principals). It introduces obligations around consent, purpose limitation, data breach notification, and reasonable security safeguards, with the detailed operational rules and effective-date provisions being notified in phases. As part of this review, we assess your data classification, encryption, retention, and consent-architecture readiness against the Act's requirements, so that when the operational rules are fully in force, your control environment is not starting from zero.
What is an IT General Control (ITGC) and why does it matter for a financial audit?
IT General Controls are the foundational controls over an IT environment that support the reliability of application-level controls and, in turn, financial reporting — access management (who can get into a financial system and how that is granted/removed), change management (how changes to system configuration are approved and tested), backup and recovery (whether financial data can actually be restored if lost), and job scheduling (whether automated financial processes run reliably and completely). If ITGCs are weak, an auditor cannot rely on any application control that depends on that IT environment — which can significantly increase the scope and cost of substantive testing in the statutory audit.
How is a Critical, High, Medium, or Low finding actually defined?
We classify findings using a consistent risk-rating methodology based on the likelihood of the control gap being exploited or causing harm, and the potential impact if it is — financial, regulatory, reputational, or operational. A Critical finding typically involves an active exploit path to sensitive data or financial systems with no compensating control. High findings represent a significant control gap that is not immediately exploitable but poses material risk. Medium and Low findings represent design or process gaps with lower immediate risk but that still warrant remediation to avoid future exposure.
Can this review help us get cyber-liability insurance or reduce our premium?
Many cyber-liability insurers now require or reward evidence of an independent, recent security assessment as part of underwriting — some proposal forms ask for it directly, and insurers increasingly price premiums based on demonstrated control maturity rather than self-certified questionnaires alone. A completed review with a clean or well-remediated findings profile can support both the underwriting process and, in some cases, more favourable terms, though PNPC does not control or guarantee insurer pricing decisions.
We are a startup with no external funding yet. Do we really need this?
Not necessarily as a full framework-based review. Very early-stage companies with minimal customer data, no regulatory trigger, and no near-term funding or enterprise-sales requirement are generally better served by a lighter security hygiene checklist folded into their broader IT and accounting setup. The formal review becomes proportionate once you handle meaningful customer data, approach a funding round where investor due diligence will ask about it, or start selling to enterprise customers whose vendor onboarding requires evidence of a control environment.
What is the difference between a 'control deficiency,' a 'significant deficiency,' and a 'material weakness'?
These are severity classifications commonly used in control assessments, borrowed from the same conceptual framework used in Internal Financial Controls reporting. A control deficiency exists when a control is not designed or operating in a way that allows timely prevention or detection of a risk, but the impact is limited. A significant deficiency is more severe and merits attention from those responsible for governance. A material weakness represents a reasonable possibility that a material misstatement, breach, or loss will not be prevented or detected in a timely manner — the most serious category, typically requiring immediate Board and, where relevant, auditor attention.
Does PNPC provide ongoing monitoring after the review, or is it a one-time engagement?
The core review is a periodic point-in-time (or period-of-review) assessment, not continuous monitoring — continuous security operations (SIEM alerting, 24x7 SOC) is a different, always-on managed service that PNPC does not itself operate. What PNPC does provide is remediation tracking through to verified closure, and typically an annual or regulator-cadence-aligned refresh review, so your control environment does not go untested again until the next incident or audit finding forces the issue.
What is the role of the CISO, and do we need to formally appoint one?
A Chief Information Security Officer (CISO) is the designated individual accountable for an organisation's information security posture and its reporting to the Board or a Board committee. SEBI's CSCRF specifically requires designated regulated entities to have a CISO function with a defined reporting line. RBI's framework similarly expects clear ownership of cybersecurity at a senior level for regulated entities. Even where not mandated, having a named accountable owner — whether a dedicated CISO, a CTO with the responsibility formally assigned, or an outsourced virtual CISO arrangement — is fundamental to the control environment actually functioning, since a review with no accountable owner on the other end tends to see its remediation roadmap stall.
How does PNPC's Chennai/Bangalore/Hyderabad/Dubai presence matter for this kind of review?
For groups with operations spanning India and the UAE, we coordinate the review across jurisdictions under one engagement — assessing the Indian entity against SEBI/RBI/CERT-In/DPDP Act requirements as relevant, and coordinating with the UAE entity's own data protection and cybersecurity obligations under UAE federal and free-zone frameworks, so the Board gets one consistent risk picture rather than two disconnected reports from two different advisors.
What if we do not have any formal IT policies at all — can you still conduct the review?
Yes. Absence of documented policy is itself a finding, and one of the most common starting points we see. We assess actual practice against the applicable framework regardless of whether formal policy exists, and the remediation roadmap will typically include drafting or formalising the missing policy documents as a first-tier action item alongside any technical control gaps.
Will the review disrupt our day-to-day IT operations?
Generally no. The review is predominantly document review, interviews, configuration exports, and log analysis rather than intrusive testing of live systems. Where any testing does touch production systems (such as certain access control tests), we schedule it in coordination with your IT team during low-impact windows and confirm the approach in advance.
What is the difference between this review and a management self-assessment questionnaire?
A management self-assessment is an internal exercise — typically a checklist completed by the IT or security team itself, with no independent testing of whether the answers reflect reality. It carries no external assurance value for a Board, auditor, or regulator. A Cyber Security Control & IT Risk Review is performed by an independent party, involves actual testing of evidence (access logs, configuration exports, sampled transactions) rather than self-reported answers, and produces a report that carries genuine evidentiary weight for governance and, where relevant, regulatory purposes.
Can findings from this review affect our company's insurance claims if a breach occurs later?
Potentially, depending on your policy terms — many cyber-liability policies include representations and warranties about the security controls in place at the time of underwriting, and a documented history of known, unremediated Critical or High findings could be relevant to a claim if the breach exploited exactly that gap. This is a reason to treat remediation follow-through seriously, not just the initial assessment, and to discuss any material findings with your insurance broker or legal counsel.
Do smaller, unlisted, non-regulated companies ever need this review?
Yes, increasingly — not because of a direct statutory mandate, but because enterprise customers, investors, and insurers now routinely ask for evidence of a tested security control environment as a precondition of doing business. A mid-sized unlisted company selling into enterprise or government accounts, or approaching a Series A/B round, frequently finds this review requested as part of the counterparty's own due diligence checklist, well before any regulator would require it directly.
What happens during the 'IT General Controls' section if we use an accounting software provider that manages the infrastructure for us (SaaS/cloud accounting)?
Where core financial systems are hosted and managed by a third-party SaaS provider, the relevant ITGCs partly shift to that provider's environment. We assess what controls remain your organisation's responsibility (user access management within the application, approval workflows configured within the tool) versus what should be evidenced by the provider's own certifications (SOC 2 report, ISO 27001 certificate) — and flag where a provider cannot or will not furnish that evidence as a vendor risk finding in its own right.
How does this review interact with a prior year's audit findings or management letter points on IT?
We specifically request and review the prior year's statutory audit management letter and any IT-related findings as an input to scoping — a review that ignores what the statutory auditor already flagged risks either duplicating known findings without adding value or, worse, missing that a previously flagged gap was never actually closed.
Is remote/hybrid work a specific risk area you assess?
Yes. Remote and hybrid work materially expands the attack surface — VPN configuration and usage discipline, endpoint security on personally-owned (BYOD) devices, use of personal email or unsanctioned file-sharing tools for company data, and physical security of devices outside the office are all assessed as part of the access and endpoint control review, particularly for organisations that shifted to hybrid arrangements without formally updating their security policy to match.
What deliverables do we actually receive at the end of the engagement?
A written report covering: the scope and methodology, the risk and control matrix mapped to the applicable framework, detailed findings with severity classification and evidence references, a prioritised and owner-assigned remediation roadmap, and an executive summary suitable for Board or Audit Committee presentation. PNPC also delivers the findings in person to the Board, Audit Committee, or IT Strategy Committee where requested, rather than simply emailing a PDF.
How do you handle sensitive findings — do you share the full report with everyone in the organisation?
No. We agree report distribution and confidentiality handling with the engaging party (typically the Audit Committee or CFO/CISO) at the outset. Detailed technical findings, particularly anything classified Critical, are handled on a need-to-know basis, since a full vulnerability report circulated too widely can itself become a security risk if it falls into the wrong hands before remediation is complete.
Can this review be combined with our regular internal audit function?
Yes, and for organisations with an internal audit function under Section 138 of the Companies Act 2013, coordinating the cybersecurity review's timing and scope with the internal audit plan avoids duplicated effort and gives the Audit Committee one integrated risk picture rather than two separately-scheduled, overlapping reviews.
What is the earliest point in a company's lifecycle where this review becomes relevant?
There is no fixed trigger point in terms of company age — it is driven by risk exposure: the volume and sensitivity of data handled, whether a regulatory category applies, and whether enterprise customers or investors are asking for it. A company can be five years old with minimal data exposure and not yet need this review, or two years old and already need it because it processes payment data or is approaching a Series A round with investor due diligence in view.
PNPC Global vs typical cybersecurity vendors and generic IT audit providers
| Dimension | PNPC Global | Generic Security Vendor | Pure Technical VAPT Shop |
|---|---|---|---|
| Regulatory mapping (SEBI/RBI/CERT-In/DPDP) | Built into scoping — findings mapped to specific applicable clauses | Often generic international-framework only, with limited India-specific regulatory mapping | Typically out of scope — technical testing only, no regulatory interpretation |
| Link to statutory audit (Sec 143(3)(i), CARO 2020) | Explicitly coordinated with the audit calendar and ITGC testing lens | Rarely coordinated — treated as a wholly separate exercise | Not addressed — different discipline entirely |
| Board/Audit Committee presentation | Delivered in person by a senior CA, not just emailed as a PDF | Varies — often a written report only | Written technical report only, rarely presented to the Board |
| Remediation follow-through | Owner-assigned roadmap with independent post-remediation verification | Often ends at report delivery, with limited or no follow-up verification | Report delivery is the end of the technical engagement scope |
| Continuity across years | Same firm tracks findings, remediation, and the next cycle's review | Vendor relationships often reset each procurement cycle | Engaged per-project; limited institutional continuity |
| Cross-border coordination (India–UAE) | Single engagement across PNPC's India and Dubai offices | Rarely offered as an integrated service | Not typically offered |
What the PNPC package includes
- 01
Regulatory scoping against SEBI CSCRF, RBI cybersecurity framework, CERT-In directions, and DPDP Act readiness, specific to your entity category
- 02
Full IT asset and risk universe mapping, including shadow IT and third-party vendor access points often missed by internal reviews
- 03
Governance and policy review against your actual operating practice — not just a paper-policy check
- 04
Access control, identity management, and privileged-access testing across critical systems
- 05
IT General Controls (ITGC) testing coordinated specifically to support your statutory auditor's Section 143(3)(i) and CARO 2020 work
- 06
Data protection and DPDP Act readiness assessment, including data mapping, encryption, and consent-architecture review
- 07
CERT-In compliance testing — log retention, NTP synchronisation, and incident-response six-hour reporting readiness
- 08
Third-party and vendor risk review, including evidence review of vendor certifications (SOC 2, ISO 27001) where available
- 09
Severity-classified findings report with a prioritised, owner-assigned remediation roadmap
- 10
In-person Board, Audit Committee, or IT Strategy Committee presentation of findings
- 11
Independent post-remediation verification before the next audit or reporting cycle
Cyber risk sits on your Board's agenda whether or not you have tested it yet — talk to PNPC Global before your regulator, your auditor, or an incident does the testing for you.